HTTP will always be open to man-in-the-middle attacks, so if you send your 
password hashed, the same password could still be sent by a third party 
impersonating your user. This is why HTTPS must be used.

You can use a dedicated user to call your webservices, and if you want to use a 
non-readable password, it is always up to you. Take your word "password", put 
it through an MD5, SHA - or whatever else you like - generator and set it in 
Remedy and in the other system as "5f4dcc3b5aa765d61d8327deb882cf99". This way, 
at least you can pretend it is not clear text.

Besides what was already mentioned (HTTPS), don't forget about firewalling to 
permit access only from specific hosts.
Hope it helps. 

Best regards,

Mihai 



-----Original Message-----
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of John Baker
Sent: Tuesday, November 26, 2013 11:08 PM
To: arslist@ARSLIST.ORG
Subject: Remedy 7.6.04 Web Services Password encryption

Expanding on LJ's response, you may wish to consider SSL client certificates, 
so users of the service cannot connect unless they have a client certificate. 
Whilst there's probably no way to get the username from within the (very 
limited) AR System web service implementation, you can at least sleep soundly 
knowing you know who's connecting to it.

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers 
Are, and have been for 20 years"
